{"id":194641,"date":"2021-01-19T01:43:44","date_gmt":"2021-01-19T01:43:44","guid":{"rendered":"https:\/\/premium.wpmudev.org\/blog\/?p=194641"},"modified":"2021-01-19T01:43:44","modified_gmt":"2021-01-19T01:43:44","slug":"free-wordpress-security-scanners","status":"publish","type":"post","link":"https:\/\/wpmudev.com\/blog\/free-wordpress-security-scanners\/","title":{"rendered":"Test Your WordPress Site Security &#8211; 6 Free WordPress Security Scanners"},"content":{"rendered":"<p>We think our security plugin, Defender, is pretty darn good, but we\u2019d never tell you to put all your eggs in one basket. Even with a super-reliable and robust security plugin, you should still carry out extra checks on your site&#8217;s security\u2026<\/p>\n<p>Gone are the days where the only way to infiltrate someone\u2019s computer or accounts was to send them a virus disguised as a pdf or manually guess their passwords.<\/p>\n<p>Nowadays, hacking is easy. It\u2019s automated.<\/p>\n<p>Bots can brute-force their way into a site, create fake administrator accounts, and scan the network for vulnerabilities and valuable files in a matter of seconds.<\/p>\n<p>This means that you no longer need a determined enemy in order to be the victim of an attack.<\/p>\n<p>And since attacks are always on the rise, it makes sense to take whatever precautions are available in order to protect your site and ultimately, your visitors.<\/p>\n<p>One of these precautions is simply taking the time to check your site from a few different sources.<\/p>\n<p>Read on as we take a look at some of the best free tools out there.<\/p>\n<p><a href=\"#defender\">1. Defender<\/a><br \/>\n<a href=\"#tools\">2. WordPress Tools<\/a><br \/>\n<a href=\"#wprecon\">3. wpRecon<\/a><br \/>\n<a href=\"#virustotal\">4. VirusTotal<\/a><br \/>\n<a href=\"#mozilla\">5. Mozilla Observatory<\/a><br \/>\n<a href=\"#google\">6. Google Transparency Report<\/a><\/p>\n<h2 id=\"defender\">1. 
Defender<\/h2>\n<p>Hopefully, you\u2019re already using <a href=\"https:\/\/wordpress.org\/plugins\/defender-security\/\" target=\"_blank\">Defender<\/a> to protect your site against malicious attacks, however, did you know it has an awesome scan feature, as well as a comprehensive rundown of things you can do to improve your site security?<\/p>\n<p>Let\u2019s start with the scan.<\/p>\n<p>To begin a scan, click on Defender\u2019s Malware Scanning option in the WordPress sidebar.<\/p>\n<figure id=\"attachment_194642\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194642\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/defender-malware-scan.png\" alt=\"Screenshot of Defender about to start a scan \" width=\"600\" height=\"318\" \/><figcaption class=\"wp-caption-text\">Click Run Scan.<\/figcaption><\/figure>\n<p>Defender will then highlight any files that it thinks are suspicious, such as core files which have been edited or don\u2019t come as standard.<\/p>\n<figure id=\"attachment_194643\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194643\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/defender-scan-results.png\" alt=\"Screenshot of Defender's scan results showing two potentially malicious files.\" width=\"600\" height=\"398\" \/><figcaption class=\"wp-caption-text\">Defender will check your core files against the originals in the WordPress repository.<\/figcaption><\/figure>\n<p>You\u2019ll need to check through the files to decide whether they pose a risk, or whether they are changes you&#8217;ve made yourself.<\/p>\n<p>You then have three options:<\/p>\n<ul>\n<li>If you don\u2019t think a certain file should exist at all, you can delete it.<\/li>\n<li>If you believe a core file has been tampered with, you can restore it to the original 
&#8211; Defender will replace it with a fresh copy.<\/li>\n<li>If you trust these files, you can ask Defender to ignore them in future scans.<\/li>\n<\/ul>\n<figure id=\"attachment_194644\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194644\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/suspicious-file.png\" alt=\"Screenshot of a suspicious file in Defender showing the snippet of code.\" width=\"600\" height=\"780\" \/><figcaption class=\"wp-caption-text\">Defender will even show you the code in question.<\/figcaption><\/figure>\n<p>Ensuring that no code has been tampered with is a great way to keep on top of your site security.<\/p>\n<p>Defender goes one step further. It can carry out an overall check on your site security to give you recommendations if there are vulnerabilities on your site that could easily be fixed.<\/p>\n<p>Simply head to the <strong>Recommendations<\/strong> section to find out if Defender has picked up any vulnerabilities.<\/p>\n<figure id=\"attachment_194645\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194645\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/security-recommendations.png\" alt=\"Screenshot of the security recommendations with Defender.\" width=\"600\" height=\"212\" \/><figcaption class=\"wp-caption-text\">It will give you a list of all the current recommended steps.<\/figcaption><\/figure>\n<p>You can click on each item individually to see more information. 
Defender can even provide you with instructions to fix it!<\/p>\n<figure id=\"attachment_194667\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194667\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/disclosure-protection-code-1.png\" alt=\"The code needed to fix the issue.\" width=\"600\" height=\"807\" \/><figcaption class=\"wp-caption-text\">The instructions and code are provided.<\/figcaption><\/figure>\n<p>Defender will also let you know what you\u2019re doing right, by listing all the precautions you have already taken.<\/p>\n<p>Simply navigate to the <strong>Actioned<\/strong> tab on the left of Defender\u2019s screen.<\/p>\n<figure id=\"attachment_194648\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194648\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/actioned-vulnerabilities.png\" alt=\"Screenshot of all the actioned vulnerabilities.\" width=\"600\" height=\"543\" \/><figcaption class=\"wp-caption-text\">Aim to get all recommendations into the Actioned column for the best chance of securing your site.<\/figcaption><\/figure>\n<p>Like what you see?<\/p>\n<p>Check out our full guide on <a href=\"https:\/\/wpmudev.com\/blog\/how-to-get-the-most-out-of-defender-security\/\" target=\"_blank\">how to get the most out of Defender<\/a>, and if you host with us, take a look at how it <a href=\"https:\/\/wpmudev.com\/blog\/securing-your-wordpress-site-with-defender-and-the-hub\/\" target=\"_blank\">integrates perfectly with The Hub<\/a>.<\/p>\n<h2 id=\"tools\">2. 
WordPress Tools<\/h2>\n<p>The WordPress Tools section might not be somewhere you check into often, however, the <strong>Site Health<\/strong> menu can be pretty valuable, and is worth the odd visit.<\/p>\n<p>This tool also offers more than just security recommendations and will provide more information than any of the external tools as it is linked directly with your site.<\/p>\n<figure id=\"attachment_194649\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194649\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/wp-tools-recommendations.png\" alt=\"Screenshot of the WordPress tools recommendations.\" width=\"600\" height=\"441\" \/><figcaption class=\"wp-caption-text\">Even the Performance suggestions can help with security &#8211; better update the PHP version!<\/figcaption><\/figure>\n<p>If you click on each recommendation, you will get some pretty useful further details.<\/p>\n<figure id=\"attachment_194650\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194650\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/inactive-themes.png\" alt=\"Screenshot of the list of inactive themes.\" width=\"600\" height=\"293\" \/><figcaption class=\"wp-caption-text\">This information can make keeping on top of inactive themes and plugins so much easier!<\/figcaption><\/figure>\n<p>You can also check out the list of passed tests so that you know what you\u2019re doing right.<\/p>\n<figure id=\"attachment_194651\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194651\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/18-issues.png\" alt=\"Screenshot of the 18 rectified issues.\" width=\"600\" height=\"443\" \/><figcaption class=\"wp-caption-text\">It\u2019s always reassuring to know when things are 
taken care of.<\/figcaption><\/figure>\n<p>It\u2019s built right into your WordPress installation so it should only take a minute or two to carry out a quick check every once in a while.<\/p>\n<h2 id=\"wprecon\">3. wpRecon<\/h2>\n<p>It\u2019s good to get an idea of any information about your site which is publicly accessible, as this can be used by hackers to find ways to compromise your security.<\/p>\n<p>One of the best ways to find out what information is readily available is by using a third-party tool that isn\u2019t linked to your site.<\/p>\n<p><a href=\"http:\/\/wprecon.com\/\" target=\"_blank\">wpRecon<\/a> is one of these tools.<\/p>\n<p>Simply input the URL of the site you want to test.<\/p>\n<figure id=\"attachment_194652\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194652\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/wprecon-start-scan.png\" alt=\"Screenshot of the box from which you can run your scan.\" width=\"600\" height=\"301\" \/><figcaption class=\"wp-caption-text\">You can test any site you wish.<\/figcaption><\/figure>\n<p>The test will give you a variety of results, with the first set being in relation to your server type, IP address, and a check of the version of WordPress you\u2019re running.<\/p>\n<figure id=\"attachment_194653\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194653\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/passive-analysis.png\" alt=\"Screenshot of information obtained from the WPrecon scan.\" width=\"600\" height=\"519\" \/><figcaption class=\"wp-caption-text\">This is all information that can be obtained with just your URL!<\/figcaption><\/figure>\n<p>It will also inform you of any plugins that are reading the HTML source of the website\u2019s front page, check for information it can find about the theme, and try to 
list the contents of uploads and plugins folders.<\/p>\n<figure id=\"attachment_194654\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194654\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/directory-indexing.png\" alt=\"Screenshot of the results of the test which tries to access your folders.\" width=\"600\" height=\"396\" \/><figcaption class=\"wp-caption-text\">It is good to be aware if Directory Indexing is enabled on your site.<\/figcaption><\/figure>\n<p>A routine check using a tool such as wpRecon will help you identify if there are any big holes, ready for hackers to walk through.<\/p>\n<h2 id=\"virustotal\">4. VirusTotal<\/h2>\n<p><a href=\"https:\/\/www.virustotal.com\/gui\/\" target=\"_blank\">VirusTotal<\/a> is another free online tool for scanning sites, documents, and IP addresses. It has a database of over 70 antivirus scanners and URL\/domain blacklisting services.<\/p>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\">\n<figure id=\"attachment_194655\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-194655 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/virustotal-list.png\" alt=\"Screenshot of some of the partners that VirusTotal uses.\" width=\"600\" height=\"401\" \/><figcaption class=\"wp-caption-text\">These are just a few of the databases that VirusTotal checks.<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<p>If your site is clean, you should be good to go, however, if any of the databases pick up something malicious, it could be that you have malware.<\/p>\n<p>If this is the case, it could be worth <a href=\"https:\/\/wpmudev.com\/blog\/wordpress-malware-scan\/\" target=\"_blank\">running a full malware scan<\/a>.<\/p>\n<p>You can also check some further details regarding your site.<\/p>\n<figure id=\"attachment_194656\" 
class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194656\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/outgoing-links.png\" alt=\"Screenshot of the result of the outgoing links check.\" width=\"600\" height=\"205\" \/><figcaption class=\"wp-caption-text\">It\u2019s good to check whether any external links have been added to your site without your knowledge.<\/figcaption><\/figure>\n<p>VirusTotal shares the result of the scan with the examining partners that it uses. This grows their virus and knowledge databases, helping in the fight against malware and hackers.<\/p>\n<h2 id=\"mozilla\">5. Mozilla Observatory<\/h2>\n<p><a href=\"https:\/\/observatory.mozilla.org\/\" target=\"_blank\">Mozilla Observatory<\/a> is slightly different from the tools we\u2019ve looked at above, as it offers a few separate types of tests.<\/p>\n<p>When you first run the scan, it will test vulnerabilities in relation to HTTP. 
It will then give your site a score in the form of a letter.<\/p>\n<figure id=\"attachment_194657\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194657\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/observatory-scan.png\" alt=\"Screenshot of the result of the test.\" width=\"600\" height=\"339\" \/><figcaption class=\"wp-caption-text\">Yeah, not the best score &#8211; but this is why checks like this are useful!<\/figcaption><\/figure>\n<p>Scroll down to see which of the tests you failed (if any).<\/p>\n<figure id=\"attachment_194658\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194658\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/test-scores.png\" alt=\"Screenshot of the test scores.\" width=\"600\" height=\"570\" \/><figcaption class=\"wp-caption-text\">You will be able to see how you scored on all of the 11 tests.<\/figcaption><\/figure>\n<p>Click on the name of each test to be taken to a page created by Mozilla which fully explains what it means.<\/p>\n<p>After the first scan, you can also initiate further ones to check if access to your site can be gained through SSH (it would be very concerning if this was the case!) and extra tests with third-party companies ImmuniWeb, securityheaders.com, and hstspreload.org.<\/p>\n<h2 id=\"google\">6. 
Google Transparency Report<\/h2>\n<p>Google\u2019s <a href=\"https:\/\/transparencyreport.google.com\/safe-browsing\/search?url=kirstanblog.wpmudev.host\" target=\"_blank\">Transparency Report<\/a> isn\u2019t really the answer for checking for vulnerabilities on your own site, however, there\u2019s a reason it made it to this list.<\/p>\n<p>The reason it won\u2019t be much help when it comes to your own site is that it only tells you whether or not it finds anything unsafe, it doesn\u2019t tell you what the unsafe content is.<\/p>\n<p>This makes it pretty redundant when checking on your own site but can come in useful when checking a site you want to visit.<\/p>\n<p>If you\u2019re nervous about visiting a URL for the first time, you can simply input it into Google Transparency Report\u2019s search bar, and let it check it out for you.<\/p>\n<figure id=\"attachment_194659\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-194659\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/01\/google-transparency.png\" alt=\"Google transparency search results.\" width=\"600\" height=\"431\" \/><figcaption class=\"wp-caption-text\">It provides a basic yes or no answer as to whether the site is safe to visit.<\/figcaption><\/figure>\n<p>So yes, whilst it may not be the answer to checking for holes in your site security, it\u2019s a pretty good tool to have in your bag!<\/p>\n<h2>Stay One Step Ahead<\/h2>\n<p>Carry out regular checks on your site using a variety of tools to make sure you identify any vulnerabilities before hackers or bots sniff them out.<\/p>\n<p>Many of the issues picked up by these tools are quick and easy fixes, so schedule in regular checks as part of your site security process.<\/p>\n<p>If you want to know how to make sure you haven\u2019t missed anything when it comes to setting up the protection for your WordPress site, be sure to check out our <a 
href=\"https:\/\/wpmudev.com\/blog\/checklist-for-securing-wordpress-site\/\" target=\"_blank\">16-step checklist<\/a> to total site lockdown.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We think our security plugin, Defender, is pretty darn good, but we\u2019d never tell you to put all your eggs in one basket. Even with a super-reliable and robust security plugin, you should still carry out extra checks on your site&#8217;s security\u2026 Gone are the days where the only way to infiltrate someone\u2019s computer or [&hellip;]<\/p>\n","protected":false},"author":801248,"featured_media":199227,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"blog_reading_time":"","wds_primary_category":0,"wds_primary_tutorials_categories":0,"footnotes":""},"categories":[263],"tags":[],"tutorials_categories":[],"class_list":["post-194641","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials"],"_links":{"self":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/194641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/users\/801248"}],"replies":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/comments?post=194641"}],"version-history":[{"count":14,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/194641\/revisions"}],"predecessor-version":[{"id":194974,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/194641\/revisions\/194974"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media\/199227"}],"wp:attachment":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media?parent=194641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:
\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/categories?post=194641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tags?post=194641"},{"taxonomy":"tutorials_categories","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tutorials_categories?post=194641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}